Vishing: When the Phone Call Is the Scam

Picture this: your phone rings. The caller ID says it's the ATO. A professional-sounding voice tells you that you have an outstanding tax debt and if you don't pay immediately, the police will be dispatched to your home or business.

Your heart rate spikes. You start thinking about whether you've filed everything correctly. And before you know it, you're reading out your credit card number to a scammer sitting in a call centre on the other side of the world.

This is vishing — voice phishing — and it's one of the most psychologically effective scams around.

What is vishing?

Vishing is phishing conducted via voice call. Scammers call victims and pretend to be from trusted organisations — banks, the ATO, the Australian Federal Police, Telstra, Microsoft, or even your internet provider — to extract sensitive information or payment.

Voice phishing incidents have grown by over 400% in recent years globally, and Australia is far from immune. The rise of AI voice cloning has made things significantly worse — it's now possible to clone someone's voice with just a few seconds of audio. That means scammers can call you pretending to be your actual boss.

Common vishing scripts:

  • "ATO debt": You owe tax. Pay now or face arrest. (The ATO doesn't work this way.)
  • "Your computer has a virus": A "Microsoft technician" needs remote access to fix it. (They want to install malware or steal data.)
  • "Bank fraud detected": Someone's used your card. We need to verify your details. (They want your card details.)
  • "Investment opportunity": A "broker" promises guaranteed returns. (It's investment fraud.)
  • "This is a police officer": You're under investigation for money laundering. Pay a fine immediately or be arrested. (The AFP doesn't call demanding on-the-spot payments.)

The AI upgrade

AI-powered voice cloning has taken vishing to a new level. Scammers can now:

  • Clone a CEO's or director's voice using audio from public videos
  • Call a finance team member pretending to be the boss
  • Instruct them to make an urgent bank transfer
  • And hang up before anyone gets suspicious

This type of attack — known as "CEO fraud" or "BEC via voice" — has cost Australian businesses millions.

How to protect yourself and your business:

  1. Hang up and call back. If someone from "your bank" calls, hang up and call the bank directly using the number on their official website or the back of your card.
  2. Never give personal details to an inbound caller. You don't know who's actually calling. Legitimate organisations won't mind if you call them back.
  3. Establish a verbal code word with your team. For high-value instructions (like transfers), create a verification process that requires a code or a second sign-off.
  4. Trust your gut. If the call feels high-pressure, urgent, or off, it's probably a scam.
  5. Report it. Report vishing attempts to the ACCC Scamwatch at scamwatch.gov.au.

For business owners specifically

Make sure your finance and admin staff know the golden rule: no legitimate organisation or executive will demand urgent payment by phone without a paper trail. If someone calls asking for a same-day bank transfer, require email confirmation from a known address and verbal approval from a second person.

It might feel like extra admin. It might save you $46,000.
